Abstract

In Part I of this two-part paper on confidential communication over wireless channels, we studied 
the fundamental security limits of quasi-static fading channels from the point of view of outage secrecy 
capacity with perfect and imperfect channel state information. In Part II, we develop a practical secret key 
agreement protocol for Gaussian and quasi-static fading wiretap channels. The protocol uses a four-step 
procedure to secure communications: establish common randomness via an opportunistic transmission, 
perform message reconciliation, establish a common key via privacy amplification, and use the key.
We introduce a new reconciliation procedure that uses multilevel coding and optimized low density parity
check codes, which in some cases comes close to achieving the secrecy capacity limits established in
Part I. Finally, we develop new metrics for assessing average secure key generation rates and show that 
our protocol is effective in secure key renewal.

I. Introduction

Part I of this two-part paper was devoted to the information-theoretic security limits of a wireless 
communications scenario with quasi-static fading. The analysis was carried out in terms of outage 
probability and outage secrecy capacity, both for perfect and imperfect channel state information. In this
second part we discuss the practical aspects associated with coding and modulation for
the Gaussian and quasi-static fading wiretap channels. Virtually all systems today separate the problems of
reliable and secure communications and provide them in a tandem fashion, where reliable communication
is dealt with at the physical layer and security is provided at a higher layer (e.g. the network, transport or 
application layers) after the physical layer has been established. In this paper we show how modern 
physical layer tools, such as modulation, multilevel coding (MLC) and error control codes can be 
combined with key agreement protocols to, in some cases, come close to the fundamental limits described 
in Part I of this paper. 

The general problem of physical layer-based coding and modulation schemes for both reliable and 
secure communication over Gaussian and fading wiretap channels has not received much attention and 
there is no larger framework to draw on, even with the sustained advances in the area of coding and
modulation for Gaussian and fading channels [4], [5]. Much of the previous work on the wiretap channel
stems from the early work of [6] and [7], which was studied more extensively by Wei [8]. This work shows how to
encode secret information using cosets of certain linear block codes. More recently, this general notion 
has been extended by Thangaraj et al. [9] where it was shown how low density parity check codes can 
asymptotically achieve the secrecy capacity for the erasure wiretap channel, and how it can be used to 
provide perfectly secret communications at rates below the secrecy capacity for other channels. Thangaraj 
et al. [9] also showed how the joint problems of reliability and security interact in a code and how capacity 
approaching codes for the reliability problem can be used for reliability and security requirements of the 
wiretap channel. Existence of coding schemes for various generalized wiretap channel scenarios has been 
proved by several authors recently [10], [11], [12]. In particular, the existence of coding methods based 
on LDPC codes has been shown in [12]. 

Since designing wiretap codes for Gaussian and fading channels appears to be beyond the capabilities of 
current coding techniques, we focus on the somewhat easier problem of generating secret keys for secure 
communication over wireless channels. The key generation/distribution problem in wiretap channels falls 
under the general problem of key generation from correlated source outputs, which has been studied [13], 
[14], [15] in an information theoretic context. The objective of secure key distribution is for Alice and
Bob to agree on a common $k$-bit key about which Eve's entropy is maximal. In key distribution, the $k$ bits
can be unknown to Alice before transmission; this is in contrast to secure message communication, where
Alice has a $k$-bit message that she wants to communicate to Bob. We focus only on the former. Powerful
tools such as common randomness, advantage distillation and privacy amplification were developed in
the context of key distribution over wiretap channels ([15], [16]) and will be discussed, as they form the
basis for much of the practical secret key agreement protocol proposed in this paper. Most of the key 
agreement protocols require some level of interactive communication between Alice and Bob to arrive at 
a common but secret key [13], where they exchange information by way of a parallel, error-free public 
channel between Alice and Bob during the key agreement phase (e.g. [17]). One key advance in this 
paper is that we focus exclusively on protocols that require only one-way, feed-forward communication 
from Alice to Bob across the noisy wireless channel and there is no need for a noiseless, authenticated 
public channel. 

A. Our Contributions 

Our main contributions are as follows: 

• Development of a secret key agreement protocol for the Gaussian channel that performs close to 
the fundamental secrecy capacity limits (determined in Part I) over a wide range of channel values. 
The communication is from the transmitter-to-receiver only and requires no feedback or error-free side 
channels. 

• Adaptation of the secret key agreement protocol for the Gaussian channel to the quasi-static fading
channel with perfect channel state information. In some cases this protocol comes close to the fundamental
limits of the wireless fading channels presented in Part I. Again, the communication is from the
transmitter-to-receiver only and requires no feedback or error-free side channels.

• Extension of the secret key agreement protocol for the quasi-static fading channel to the case of 
imperfect channel information. 

• Development of new security and communication metrics, such as average $\eta$-secure throughput and
average $\eta$-communication throughput for average secret and non-secret bits, respectively, transmitted per
channel use on the wiretap channel.

B. Organization of the Paper 

The remainder of the paper is organized as follows. In Section II we consider a one-way protocol
for key agreement for the Gaussian channel. In Section III we give a new reconciliation procedure for
the Gaussian channel that is based on multilevel coding and LDPC codes. In Section IV we extend
this protocol in an opportunistic way to the quasi-static fading channel and show that in some instances
(when both the main and wiretapper's channel have low SNR) the protocol comes very close to the
secrecy capacity. We also show the effect of imperfect channel knowledge on the performance of
the protocol. Finally we provide concluding remarks and next steps.

II. Secret Key Agreement over Gaussian Channels 

As a prelude to the problem of coding for the quasi-static fading wiretap channel, we develop a protocol 
for the Gaussian wiretap channel shown in Figure 1.

[Figure: block diagram with the labels Alice, encoder, decoder, Bob, decoder, Eve, $Y_W$, Gaussian noise $\mathcal{N}(0, N_M)$ and Gaussian noise $\mathcal{N}(0, N_W)$.]

Fig. 1. The Gaussian wiretap channel.



It is assumed that both channels are discrete time additive Gaussian noise channels with an average
transmitted power constraint of 1 and that the noise on Eve's channel is independent of the noise on the
main channel between Alice and Bob. The noise variances for the main and wiretap channel are denoted
respectively $N_M$ and $N_W$. Furthermore we assume that Eve's (the wiretapper's) channel is worse than the main
channel, namely $N_W > N_M$. This critical assumption is necessary to ensure that the secrecy capacity
is strictly positive [18]. If noiseless feedback is allowed between Bob and Alice, then $N_M > N_W$ is
permitted and the secrecy capacity can be positive [13]; however, we consider only the case of one-way,
noisy communications from Alice to Bob and $N_W > N_M$. There are a number of practical scenarios
where this assumption is valid, for example radio frequency identification (RFID) tags and readers with
a passive eavesdropper [19].

Although the secrecy capacity of the Gaussian wiretap channel has been fully characterized [18],
designing practical coding schemes is still an open problem. On the other hand, previous results on
secret key agreement by public discussion [13] and privacy amplification [16] naturally suggest a four
step approach to secure communication over a wiretap channel: randomness sharing, information
reconciliation, privacy amplification, secure communication. In this section we show how to adapt these to
the Gaussian channel. The following protocol exploits a more general and more efficient version of the
information reconciliation method of [17] and is shown in Figure 2. Some of the four steps are adapted
directly from previous work and not modified, while others require further development as given later in
the paper.

Fig. 2. The four-step procedure for secret key agreement on the Gaussian channel.



1. Randomness sharing. The existence of common information between Alice and Bob is the key 
ingredient required for secret key agreement. In a wiretap scenario, Alice can generate this shared 
randomness by transmitting a sequence $X^n = (X_1, \ldots, X_n)$ of $n$ i.i.d. realizations of a discrete random
variable $X$ over the main channel, which will provide Bob and Eve with sequences of correlated
continuous variables $Y_M^n = (Y_{M,1}, \ldots, Y_{M,n})$ and $Y_W^n = (Y_{W,1}, \ldots, Y_{W,n})$ respectively. In Figure 2
the dotted lines indicate the transmission across the Gaussian channel to Bob (and Eve, not shown here). 

Since the amount of secrecy extractable from this common randomness is known to be at least [13]

$S_{\min} \geq I(X; Y_M) - \min\left(I(X; Y_W), I(Y_M; Y_W)\right)$ bits/symbol, (1)

the mutual information $I(X; Y_M)$ should be maximized and Alice should therefore choose $X$ achieving
the capacity $C_M = 0.5 \log_2(1 + 1/N_M)$ of the main channel. Matching $C_M$ exactly is only possible with
continuous Gaussian random variables; however, the set $\mathcal{X}$ and the probability mass function of $X$ can
be optimized so that $I(X; Y_M)$ lies within hundredths of a bit of the channel capacity $C_M$ even with
a discrete distribution. For a fixed number of constellation points $N_c = |\mathcal{X}|$ this optimization can be
performed with the algorithm proposed in [20]; however, a very good approximation of the optimum
can simply be obtained by expanding a uniformly spaced amplitude shift keying (ASK) constellation
$\{x_i\}_{i=1 \ldots N_c} = \{\pm 1, \pm 3, \ldots, \pm (N_c - 1)\}$ by a factor $\alpha \in \mathbb{R}^+$, and using a Maxwell-Boltzmann probability
distribution

(2)

Even though $I(X; Y_M)$ is not a convex function of $\alpha$ and $\lambda$, non-linear programming seems to be
relatively insensitive to the initialization of the optimization. Clearly, $N_c$ should be large enough so that
$I(X; Y_M)$ can approach $C_M$ within the required precision; its exact choice will be discussed in
Section III.

2. Information reconciliation [21]. The channel noise introduces discrepancies between Bob's received
symbols $Y_M^n$ and Alice's symbols $X^n$. The first step is for Bob to estimate Alice's symbols
$\hat{X}^n = (\hat{X}_1, \ldots, \hat{X}_n)$ based on $Y_M^n$. The channel noise results in discrepancies in the correlated bit sequences
$X^n$ and $\hat{X}^n$ that Alice and Bob will correct and reconcile before any further processing. This requires
an additional exchange of information between Alice and Bob as shown in Figure 2, which is also made
available to Eve. This situation can be viewed as a special case of source coding with side-information,
where Alice compresses her source $X^n$ and Bob decodes it with the help of correlated side information
$Y_M^n$. The Slepian-Wolf theorem [22] yields a lower bound on the total number of bits $M_{rec}$ which have
to be exchanged:

$M_{rec} \geq H(X^n | Y_M^n) = n H(X | Y_M)$. (3)

Notice that the result of [22] only applies to discrete random variables whereas here $Y_M$ is continuous.
The variable $Y_M$ can however be quantized into a discrete random variable $Y_q$ such that $H(X | Y_q)$
approaches $H(X | Y_M)$ with arbitrary precision, and the Slepian-Wolf Theorem still holds.

Practical reconciliation algorithms will introduce an overhead $\epsilon_{rec} > 0$ and require the transmission
of $M_{rec} = n H(X | Y_M)(1 + \epsilon_{rec})$ additional bits. The reconciliation can also be characterized by its
efficiency $\beta$, which is defined as

$\beta(\epsilon_{rec}) = 1 - \epsilon_{rec} \frac{H(X | Y_M)}{I(X; Y_M)} < 1$. (4)



At the end of the reconciliation step, Alice and Bob share with high probability the common sequence
$X^n$ whose entropy is $n_{rec} = n H(X)$. We will assume that $X^n$ is then compressed into an $n_{rec}$-bit binary
sequence $S$. For our application to the Gaussian wiretap channel we use multilevel coding (at Alice) and
multistage (MS) decoding (at Bob) to reconcile and correct the differences between $X$ and $\hat{X}$; this
is discussed in detail in Section III.

3. Privacy amplification [16]. This last operation allows Alice and Bob to extract a secret key from
the binary sequence $S$. The principle of privacy amplification is to apply a well-chosen compression
function $g : \{0,1\}^{n_{rec}} \to \{0,1\}^k$ ($k < n_{rec}$) to the reconciled bit sequence, such that the eavesdropper
obtains negligible information about the final $k$-bit sequence $g(S)$. In practice this can be achieved by
choosing $g$ at random within a universal family of hash functions [23], as stated in the following theorem.

Theorem 1: [16, Corollary 4] Let $S \in \{0,1\}^{n_{rec}}$ be the random variable representing the bit sequence
shared by Alice and Bob, and let $E$ be the random variable representing the total information available
to the eavesdropper. Let $e$ be a particular realization of $E$. If the Rényi entropy (of order 2) $R(S | E = e)$
is known to be at least $c$, and Alice and Bob choose $K = G(S)$ as their secret key, where $G$ is a hash
function chosen at random from a universal family of hash functions $\mathcal{G} : \{0,1\}^{n_{rec}} \to \{0,1\}^k$, then

$H(K | G, E = e) \geq k - \frac{2^{k-c}}{\ln 2}$. (5)

The total information available to Eve, $E$, consists of the sequence received during the first stage of
the protocol, as well as the additional bits exchanged during reconciliation, represented by the random
variable $M$. As shown in [24, Theorem 5.2]:

$R(S | Y_W^n = y_W^n, M = m) \geq R(S | Y_W^n = y_W^n) - \log_2 |M| - 2s - 2$ with probability $1 - 2^{-s}$. (6)

The quantity $\log_2 |M|$ represents the number of bits intercepted by Eve during the reconciliation, which
is at most $n H(X | Y_M)(1 + \epsilon_{rec})$ if she intercepted all the information. Evaluating $R(S | Y_W^n = y_W^n)$ is in
general still difficult; however, conditioned on the typicality of the bit sequence [25], $R(S | Y_W^n = y_W^n)$ and
$H(S | Y_W^n = y_W^n)$ become equal. Hence if $n$ is large enough, $n H(X | Y_W) - n H(X | Y_M)(1 + \epsilon_{rec}) - 2s - 2$
is a good lower bound of $R(S | E = e)$, and choosing

$k = n \beta I(X; Y_M) - n I(X; Y_W) - 2s - 2 - r$ (7)

guarantees that Eve's uncertainty on the key is greater than $k - 2^{-r} / \ln 2$ with probability $1 - 2^{-s}$.
For our protocol in this paper we do not develop anything new, and we use standard families of hash
functions [23], [26].

4. Secure communication. The secret key generated $K = G(S)$ can finally be used to secure Alice's
message, using either a one-time pad for perfect secrecy or a standard secret key encryption algorithm,
and Eve's uncertainty $H(K | G, E = e)$ about the key is as close to $k$ as we want as per (5).
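
Steps 3 and 4 as an added example (not code from the paper): it sizes the key with Eq. (7) and distills it with a binary Toeplitz matrix, a standard universal hash family chosen here as an assumption, since the paper only cites [23], [26]. The 13 dB figures are the ones reported in Table II; Eve's 7 dB SNR, the short block n = 100, s, r and the use of Eve's channel capacity as an upper bound on I(X;Y_W) are constructed.

```python
import math
import secrets


def awgn_capacity(snr_db):
    """Capacity in bits per use of a real Gaussian channel, 0.5*log2(1 + SNR)."""
    return 0.5 * math.log2(1.0 + 10.0 ** (snr_db / 10.0))


def key_length(n, beta, i_main, i_eve, s, r):
    """Eq. (7): k = n*beta*I(X;Y_M) - n*I(X;Y_W) - 2s - 2 - r, never below 0."""
    k = math.floor(n * beta * i_main - n * i_eve - 2 * s - 2 - r)
    return max(k, 0)


def leak_bound(r):
    """Bound 2^-r / ln 2 (in bits) on what Eve learns about the key."""
    return 2.0 ** (-r) / math.log(2)


def random_seed(n_rec, k):
    """Public description of one k x n_rec Toeplitz matrix: n_rec + k - 1 bits."""
    return [secrets.randbits(1) for _ in range(n_rec + k - 1)]


def toeplitz_hash(bits, k, seed):
    """Multiply the Toeplitz matrix T[i][j] = seed[i - j + n - 1] by bits over GF(2)."""
    n = len(bits)
    if len(seed) != n + k - 1:
        raise ValueError("seed must hold n + k - 1 bits")
    key = []
    for i in range(k):
        acc = 0
        for j in range(n):
            acc ^= seed[i - j + n - 1] & bits[j]
        key.append(acc)
    return key


def distill(reconciled_bits, n, beta, i_main, i_eve, s, r, seed=None):
    """Return (key, seed); both are empty when Eq. (7) leaves nothing to extract."""
    k = min(key_length(n, beta, i_main, i_eve, s, r), len(reconciled_bits) - 1)
    if k <= 0:
        return [], []
    if seed is None:
        seed = random_seed(len(reconciled_bits), k)  # chosen by Alice, sent in clear
    return toeplitz_hash(reconciled_bits, k, seed), seed


if __name__ == "__main__":
    # Main channel: 13 dB values from Table II. Everything else is constructed.
    n, beta, i_main, h_x = 100, 0.9615, 2.192, 3.000
    i_eve = awgn_capacity(7.0)        # assumption: C_W used as a bound on I(X;Y_W)
    s, r = 10, 10
    shared = [secrets.randbits(1) for _ in range(round(n * h_x))]  # stands in for S
    alice_key, seed = distill(shared, n, beta, i_main, i_eve, s, r)
    bob_key, _ = distill(shared, n, beta, i_main, i_eve, s, r, seed)
    print(len(alice_key), alice_key == bob_key, leak_bound(r))
```

The seed is public: Theorem 1 bounds Eve's uncertainty given the hash function, so only the reconciled sequence has to stay hidden from her.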

III. LDPC Constructions for Gaussian Reconciliation 

In this section we develop an efficient reconciliation approach for Step 2 of the key agreement. The
reconciliation of binary random variables has been extensively studied and several efficient methods have
been proposed [21], [27]; however, little attention has been devoted to the practical reconciliation of
non-binary random variables [17]. As stated previously, the goal is, given a non-binary variable $X$ with
distribution given by Eq. (2) and a random variable $Y_M$ obtained by sending $X$ through an additive
Gaussian channel with noise variance $N_M$, to generate a minimum amount of (parity) information to be
sent to Bob so that $X$ can be recovered from $Y_M$ and this additional information.

A. Multilevel LDPC Codes for Slepian-Wolf Compression 

We assume here that Alice and Bob have, respectively, access to the outcomes $x^n = \{x_i\}_{i=0 \ldots n-1} \in \mathcal{X}^n$
and $y^n = \{y_i\}_{i=0 \ldots n-1} \in \mathbb{R}^n$ of instances of the random variables $X^n$ and $Y_M^n$. Alice should then send
Bob additional information to help him recover $x^n$ based on $y^n$, and we can assume without restriction
that Bob recovers a binary description of $x^n$. Since each element of $\mathcal{X}$ can be uniquely described by an
$m$-bit label ($m \geq \log_2 |\mathcal{X}|$), we introduce the $m$ labeling functions $\ell_k : \mathcal{X} \to \{0,1\}$ ($k \in \{0 \ldots m-1\}$),
which associate to any element of $\mathcal{X}$ the $k$th bit of its binary label. As suggested in [28], we can then
use the syndromes of $\{\ell_k(x_i)\}_{k=0 \ldots m-1}$ according to a binary code as the additional information sent by
Alice to Bob.

Because of the particular correlation considered here, the reconciliation of $X$ and $Y_M$ is similar to a
coded modulation scheme, where Alice would transmit her data over a Gaussian channel using a
Pulse-Amplitude-Modulation scheme. Most standard modulation techniques such as Bit Interleaved Coded
Modulation (BICM) [29] or MultiLevel Coding/MultiStage Decoding (MLC/MSD) [30] schemes can
therefore be adapted to reconciliation. In the case of a BICM-like reconciliation, a single syndrome
would be computed based on an interleaved version of the bit sequence $\{\ell_k(x_i)\}_{i=0 \ldots n-1,\ k=0 \ldots m-1}$, whereas
in the case of MLC/MSD-like reconciliation, the $m$ syndromes of the sub-sequences $\{\ell_k(x_i)\}_{i=0 \ldots n-1}$
($k \in \{0 \ldots m-1\}$) would be computed successively, as illustrated in Figure 3.

Fig. 3. Principle of MLC/MSD reconciliation in the case m=2.



In what follows we will describe a reconciliation algorithm adapted from the last scheme. This choice
was motivated by the fact that BICM is known to be suboptimal over the Gaussian channel, hence the
reconciliation of the variables $X$ and $Y_M$ with a BICM-like scheme would always require strictly more
than $H(X | Y_M)$ additional bits per symbol. Moreover, MLC/MSD is based on several component codes
and therefore offers more flexibility on the code design than BICM.

The proposed reconciliation algorithm is an MLC/MSD-like reconciliation that uses binary LDPC
component codes. Other classes of codes such as Turbo-Codes could be used as well; however, LDPC codes
have already proved their good performance for error-correction and side information coding [31], and
the Belief-Propagation algorithm can easily be generalized to account for the correlation between the
sub-sequences $\{\ell_k(x_i)\}_{i=0 \ldots n-1}$ ($k \in \{0 \ldots m-1\}$). We use the following notations to describe the
algorithm:

• $b_i^k = \ell_k(x_i)$ ($i \in \{0 \ldots n-1\}$, $k \in \{0 \ldots m-1\}$),

• $c(k)$ represents the number of check nodes at the $k$th level ($c(k)$ depends on the rate $R_k$ of the code
used at level $k$ and will be discussed in the next section),

• $m_{i \to j}^{(k,l)}$ denotes the message from a variable node $v_i^k$ ($i \in \{0 \ldots n-1\}$) to a check node $c_j^k$
($j \in \{0 \ldots c(k)-1\}$) of the $k$th level at the $l$th iteration, and similarly $m_{j \to i}^{(k,l)}$ denotes the message from
a check node $c_j^k$ to a variable node $v_i^k$ of the $k$th level at the $l$th iteration,

• $\mathcal{M}_i^k$ denotes the set of all check nodes connected to the variable node $v_i^k$ of the $k$th level, and $\mathcal{M}_j^k$
denotes the set of all variable nodes connected to the check node $c_j^k$ of the $k$th level,

• $s(c)$ is the syndrome bit associated to a check node $c$.

The $m$ levels are then decoded successively, and the update equations of the messages at the $l$th
iteration of the belief propagation at a given level $k$ are described below:

$\forall i \in \{0 \ldots n-1\},\ \forall j \in \mathcal{M}_i^k$

$m_i^{(k,0)}$ if $l = 0$,

(11)



If the Tanner graphs of the LDPC component codes are trees, it can be shown that the values $\lambda_i^{(k,l)}$
converge to the true a posteriori probabilities:

$\lambda_i^{(k,l)} \to \log \frac{P(b_i^k = 1 \mid b_i^0 \ldots b_i^{k-1}, y_i)}{P(b_i^k = 0 \mid b_i^0 \ldots b_i^{k-1}, y_i)}$ (12)

in a finite number of iterations, and the decision on the value of $b_i^k$ can finally be made based on the sign
of $\lambda_i^{(k,l_{\max})}$. In practice, even when the Tanner graphs contain cycles, this belief-propagation algorithm
still performs well.

The only difference between Eqs. (8)-(10) and the standard update rules of belief propagation is the term
$m_i^{(k,0)}$, which takes into account not only the intrinsic information available from the observation $y_i$,
but also that from the decoding of the other levels $p \neq k$. Eq. (11) is similar to the update rule of a
single-input single-output (SISO) demodulator; however, it should be noted that it involves the joint probability
$p(y, x)$ (and not the conditional probability $p(y | x)$) to take into account the non-uniform distribution
of the symbols in $\mathcal{X}$. In theory, it should be sufficient to decode each level only once; however, in
practice performing several iterations between the levels might help improve the performance of the
overall scheme. These practical issues will be discussed in the next section. Let us finally point out that
the algorithms described in [32], [33], [31] can all be viewed as special cases of this general algorithm.

B. Rate Assignment 

The optimal code rates required for each sub-sequence $\{\ell_k(x_i)\}_{i=0 \ldots n-1}$ are those required for
Multistage Decoding. In fact, from the chain rule of entropy we have:

$H(X | Y_M) = H(\ell_0(X), \ldots, \ell_{m-1}(X) | Y_M) = \sum_k H(\ell_k(X) | \ell_0(X), \ldots, \ell_{k-1}(X), Y_M)$. (13)

Hence the $H(X | Y_M)$ bits per symbol required for reconciliation can be obtained by disclosing successively
$H(\ell_k(X) | \ell_0(X), \ldots, \ell_{k-1}(X), Y_M)$ bits per symbol. The optimal code rate required at each level
$k$ is therefore:

$R_k^{opt} = 1 - H(\ell_k(X) | \ell_0(X), \ldots, \ell_{k-1}(X), Y_M)$. (14)

Eq. (13) guarantees the optimality of the reconciliation scheme for any labeling; however, the practical
efficiency of the reconciliation strongly depends on the mapping used. In fact the performance of the
reconciliation relies on our ability to construct capacity approaching codes for all levels $k$, which might
not be possible if the required rates are too low. We investigated several labeling strategies and found
out that the natural binary mapping was the best compromise. This mapping assigns to each symbol
$x_j \in \mathcal{X}$ the $m$-bit representation of $j + (2^m - |\mathcal{X}|)/2$, and $\ell_k(x_j)$ is then the $k$th label bit ($\ell_0(x_j)$ is the
least significant bit). Figure 4 shows the rates required for a constellation of size 10, with symbols and
probabilities given in Table I, as a function of the signal to noise ratio $10 \log_{10}(1/N_M)$.

TABLE I

Constellation optimized to maximize $I(X; Y_M)$ at an SNR of 13 dB.

Fig. 4. Optimal code rates required for the constellation of Table I.

Over a wide range of SNRs, the optimal rates of the two uppermost levels are equal to 1, which greatly
simplifies code design by effectively requiring only two codes. We carried out extensive simulations,
and observed that for any value of the SNR, adjusting the constellation size $N_c$ so that
$H(X) \approx 0.5 \log_2(1 + \mathrm{SNR}) + 1$ would require at most two codes while still maintaining $I(X; Y_M)$ within a few
hundredths of a bit of its maximum value.
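
The rate assignment of Eqs. (13) and (14) under the natural binary mapping, as an added example (not the authors' code): it integrates numerically over the channel output to get the per-level conditional entropies and the resulting optimal rates. The uniform 4-point ASK constellation and the 10 dB SNR are constructed inputs, and the points must be listed in increasing order.

```python
import math


def natural_labels(num_points):
    """Return m and the integer labels j + (2^m - |X|)/2 of the natural mapping."""
    m = max(1, (num_points - 1).bit_length())
    offset = (2 ** m - num_points) // 2
    return m, [j + offset for j in range(num_points)]


def unit_power(points, probs):
    """Scale the constellation so that its average transmitted power is 1."""
    power = sum(p * x * x for x, p in zip(points, probs))
    return [x / math.sqrt(power) for x in points]


def prefix_entropy(points, probs, labels, k, noise_var, steps=4000):
    """H(l_0(X), ..., l_{k-1}(X) | Y_M) in bits, by midpoint integration over y."""
    if k == 0:
        return 0.0
    sigma = math.sqrt(noise_var)
    lo, hi = min(points) - 8 * sigma, max(points) + 8 * sigma
    dy = (hi - lo) / steps
    mask = (1 << k) - 1            # keeps the k least significant label bits
    norm = math.sqrt(2 * math.pi * noise_var)
    total = 0.0
    for t in range(steps):
        y = lo + (t + 0.5) * dy
        joint = {}                 # joint density p(y, prefix) per bit prefix
        for x, p, lab in zip(points, probs, labels):
            dens = p * math.exp(-(y - x) ** 2 / (2 * noise_var)) / norm
            joint[lab & mask] = joint.get(lab & mask, 0.0) + dens
        p_y = sum(joint.values())
        for dens in joint.values():
            if dens > 0.0:
                total -= dens * math.log2(dens / p_y) * dy
    return total


def optimal_rates(points, probs, snr_db):
    """Eq. (14): R_k = 1 - H(l_k(X) | l_0(X), ..., l_{k-1}(X), Y_M), LSB first."""
    noise_var = 10.0 ** (-snr_db / 10.0)      # unit signal power
    pts = unit_power(points, probs)
    m, labels = natural_labels(len(pts))
    h = [prefix_entropy(pts, probs, labels, k, noise_var) for k in range(m + 1)]
    # Chain rule, Eq. (13): successive differences are the per-level entropies.
    return [1.0 - (h[k + 1] - h[k]) for k in range(m)]


def mutual_information(points, probs, snr_db):
    """I(X;Y_M) = H(X) - H(X|Y_M), with H(X|Y_M) summed over the levels."""
    h_x = -sum(p * math.log2(p) for p in probs if p > 0)
    return h_x - sum(1.0 - r for r in optimal_rates(points, probs, snr_db))


if __name__ == "__main__":
    pts, pr = [-3, -1, 1, 3], [0.25] * 4      # constructed, unshaped constellation
    print(optimal_rates(pts, pr, 10.0), mutual_information(pts, pr, 10.0))
```

The least significant level comes out with a much lower rate than the level above it, which is the pattern the optimal rates in Table II show.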

The natural mapping has the property of preserving the symmetry on the probability distribution of
the random variable $X$:

$\forall k \in \{0, \ldots, m-1\},\ \forall y \in \mathbb{R},\ \forall x \in \mathcal{X}: \quad p(y, \ell_k(x)) = p(-y, \ell_k(x) \oplus 1)$. (15)

When first decoding the 0th level, this property implies that the equivalent channel seen by the bits
is output-symmetric and that these bits are also uniformly distributed. In this case the probability of
decoding error is the same for linear LDPC codes and LDPC coset codes, which allows us to use linear
LDPC codes designed with the standard density evolution method [34]. This property no longer holds
when decoding the following levels; however, recent results suggest that linear LDPC codes may still
perform well with our coset coding scheme [35]. In order to further simplify the code design, we used
irregular LDPC codes optimized for antipodal signaling over the AWGN channel as component codes.
The block length used was 200,000 and graphs were randomly generated while avoiding cycles of length
two and four. Despite this long block length, the performance of all constructed codes was still well
below that of their ideal capacity achieving counterparts, and perfect error-correction can therefore only
be achieved by using lower rate codes at each level. Cutting down the rate of all component codes would
disclose far too many bits; however, a careful choice of the code taking into account multiple iterations
between levels makes it possible to maintain a good efficiency.

The practical code rate assignment is based on an analysis of the decoding process using EXIT
charts [36]. Although there exist no theoretical results associated with EXIT charts for the Gaussian
channel, they are a convenient tool to predict the exchange of information between the demappers
and decoders involved in an iterative decoding scheme, based on how much extrinsic information ($I_E$)
they compute from a priori information ($I_A$). There is no closed-form expression of the EXIT curve
$I_E = T(I_A)$ of the demapper characterized by Eq. (11) and of the LDPC EXIT curve $I_E = T_c(I_A)$ for
100 iterations; however, they can be obtained via Monte-Carlo simulations assuming Gaussian a priori
information [36]. Examples of transfer curves are shown in Figure 5. We observed that low rate codes
gather extrinsic information at a slower pace than high-rate codes; therefore we decided to correct all
errors by reducing the rate of the highest-rate code and by using iterations between levels to compensate
for the poor performance of the lower rate code.

Let us now illustrate how code rates can be chosen on an example. We consider the situation where
the SNR is 13 dB, for which the optimal constellation is given in Table I. One would in theory need two
ideal codes with rate 0.264 and 0.928. We used instead a code with rate 0.25 at the first level and looked
for a high rate code that would gather enough extrinsic information to start the decoding process and
correct all errors with an a priori information of 0.928. As shown in Fig. 5, a code with rate 0.86 was
a good compromise. It is interesting to note that despite the approximations made in the computation of
the EXIT curves, the real decoding trajectory is close to the expected behavior.

C. Efficiency results 

The results obtained for various values of the noise variance are summarized in Table II. For each SNR,
the size of the constellation $\mathcal{X}$, the position of the constellation points and the probability distribution
were optimized according to the procedure described in Section II to ensure $|I(X; Y_M) - C_M| <$
0.005 bits while limiting the number of required codes to two. Let us point out that our method achieves
good efficiency provided that two conditions are met. First, the constellation size required to maximize
$I(X; Y_M)$ should be $|\mathcal{X}| \geq 4$ so that two LDPC codes can be used. Second, the code rates required
should not be too small so that we can construct good finite length codes. In practice this limited our
simulations to situations where the SNR was above 2 dB.

Fig. 5. Iterative decoding trajectory averaged over 10 realizations.



TABLE II

Efficiency results.

10 log10(1/N_M)   |X|   I(X;Y_M)   C_M     H(X)    Optimal rates        Practical rates    Efficiency
2 dB              4     0.684      0.685   1.603   0.189/0.891          0.16/0.86          90.9%
7 dB              6     1.291      1.294   2.109   0.257/0.925/1        0.24/0.86/1        90.9%
10 dB             8     1.726      1.730   2.502   0.286/0.938/1        0.27/0.88/1        95.71%
13 dB             12    2.192      2.194   3.000   0.264/0.928/1/1      0.25/0.86/1/1      96.15%
20 dB             28    3.327      3.329   4.149   0.254/0.923/1/1/1    0.24/0.86/1/1/1    97.6%


IV. Opportunistic Security for Wireless Communications 

This section describes an explicit secret key agreement protocol for wireless channels, exploiting the
reconciliation algorithm described earlier. The proposed scheme closely follows the general approach
presented in Section II; however, all steps are modified to take into account the specific nature of the
channels.

A. System Setup 

Fig. 6. Wireless system setup.

We consider the wireless system depicted in Fig. 6. Bob and Eve respectively observe the symbols
sent by Alice through discrete-time Rayleigh-fading channels given by

$y_M(i) = h_M(i) x(i) + n_M(i)$, (16)
$y_W(i) = h_W(i) x(i) + n_W(i)$, subject to $E\{|X(i)|^2\} \leq 1$, (17)

where $h_M(i)$ ($h_W(i)$) denotes the zero-mean fading coefficient of the main channel (wiretap channel), and
$n_M(i)$ ($n_W(i)$) is a zero-mean complex Gaussian noise with variance $N_M$ ($N_W$). We further assume the
fading coefficients and the noises to be independent, and the fading coefficients to remain constant over the
transmission of several consecutive symbols (quasi-static fading). The instantaneous SNRs corresponding
to a single realization $(h_M, h_W)$ of the fading coefficients are denoted $\gamma_M = |h_M|^2 / N_M$ and
$\gamma_W = |h_W|^2 / N_W$, and the instantaneous capacities are then $C_M = \log_2(1 + \gamma_M)$ and $C_W = \log_2(1 + \gamma_W)$. As
shown in [37], the instantaneous secrecy capacity is

$C_s = \begin{cases} C_M - C_W & \text{if } \gamma_M > \gamma_W \\ 0 & \text{if } \gamma_M \leq \gamma_W. \end{cases}$ (18)

B. Secure Communication Protocol 

The fluctuations of the instantaneous secrecy capacity $C_s$ with time suggest the following opportunistic
secret key agreement scheme (see also Fig. 7).

• Opportunistic transmissions. When the estimated instantaneous secrecy capacity $C_s$ and the
instantaneous main channel capacity $C_M$ computed using the available CSI are greater than some
thresholds $C_s^* > 0$ and $C_M^* > 0$, Alice transmits random symbols at a rate equal to the capacity $C_M$
using a Gaussian shaped Quadrature Amplitude Modulation scheme. We assume that Bob knows the
channel fading coefficient $h_M$ and detects coherently the symbols sent by Alice, hence the fading
channel can be viewed as two independent real Gaussian channels. The QAM constellation required
to send close to $C_M$ bits/symbol can therefore be obtained by replicating the PAM scheme described
in Section II in two dimensions. This phase is called "opportunistic transmission" since Alice and
Bob take advantage of the channel realizations where they know they can exchange more information
than Eve can intercept. The threshold $C_M^*$ is imposed by the reconciliation method, which fails below
a certain SNR; the choice of the threshold $C_s^*$ will be discussed in the next section.

• Reconciliation and privacy amplification. When the estimated secrecy capacity or main channel
capacity fall below their respective thresholds, Alice and Bob extract a secure key from the shared
randomness previously obtained. The reconciliation algorithm described in Section III allows Bob
to recover Alice's symbols exactly, while limiting the additional information sent over the channel.
Privacy amplification with universal hash functions is then used to distill a secret key, taking into
account all the information leaked to Eve during the opportunistic transmission and reconciliation
stages.

• Secure communication. Alice and Bob can finally use their secret key to transmit messages, using
either a one-time pad to ensure perfect secrecy or any symmetric cipher.

Fig. 7. Flowchart of the opportunistic protocol.



Notice that the randomness sharing and privacy amplification steps rely at this point on a perfect 
estimation of the fading coefficients to calculate the instantaneous secrecy capacity and then correctly 
estimate the length of the secret key to distill. As we will see shortly, this assumption can be somewhat 
alleviated to consider a more realistic situation where only imperfect CSI (or a conservative estimate) is 
available for the wiretap channel. 

V. Results 

A. Performance Measures for Information-Theoretically Secure Communications 

The performance of the opportunistic protocol in the case of perfect channel state information will 
be evaluated with the following two measures: the average $\eta$-secure throughput $T_s(\eta)$ and the average 
$\eta$-communication throughput $T_c(\eta)$. The average $\eta$-secure throughput $T_s(\eta)$ is defined as the average 
number of secured message bits transmitted per channel use, where $\eta$ is the ratio of secret-key bits used 
per message bit ($\eta \le 1$). Note that in a secret key agreement scenario, the secret-key generation rate 
does not contribute to the $\eta$-secured throughput since the key itself does not convey any information. 
When $\eta = 1$, $T_s(\eta)$ corresponds to a perfectly secure communication obtained with a one-time pad 
encryption, whereas $T_s(\eta)$ for $\eta < 1$ only represents an encrypted message rate with secret keys. If 
$k_s$ is the key length required for encryption, the corresponding key renewal rate is $k_s/\eta$. Similarly, the 
average $\eta$-communication throughput $T_c(\eta)$ is defined as the average number of non-secure message 
bits transmitted per channel use. In the case of secret-key agreement, the communication rate used for 
reconciliation and privacy amplification has to be deducted from the total communication throughput. 

Let us now evaluate $T_s(\eta)$ for our protocol. Let $\mathcal{V} = \{(\gamma_M, \gamma_W) : C_s > C_s^t,\ C_M > C_M^t\}$ be the set of 
fading realizations for which an opportunistic transmission is performed and let $\bar{\mathcal{V}}$ denote its complement in 
$\mathbb{R}_+^2$. For a given random variable $X$ depending on the fading realization, let $\langle X \rangle_{\mathcal{V}}$ denote its average over 
all fading realizations in $\mathcal{V}$. We will assume that fading coefficients remain constant over the transmission 
of $n \gg 2s + 2 + r_0$ symbols, where $s$ and $r_0$ are the safety parameters used during privacy amplification. 
We can then neglect the penalty inflicted by privacy amplification and assume that the opportunistic 
transmissions provide on average 

$$\langle \beta I(X; Y_M) - I(X; Y_W) \rangle_{\mathcal{V}} \approx \langle \beta C_M - C_W \rangle_{\mathcal{V}} \tag{19}$$

secret key bits per symbol transmitted, which can then be used to secure 

$$T_s(\eta) = \eta^{-1} \langle \beta C_M - C_W \rangle_{\mathcal{V}} \tag{20}$$

bits of message per symbol. From Section III we know that reconciliation requires the transmission 
of $\langle H(X|Y_M) + (1 - \beta) I(X; Y_M) \rangle_{\mathcal{V}} \approx \langle H(X) - \beta C_M \rangle_{\mathcal{V}}$ additional bits per symbol on average. The 
minimum size of a universal family of hash functions $\mathcal{G} : \{0,1\}^{n_{rec}} \to \{0,1\}^{k}$ is at least $2^{n_{rec}-k}$ [38] 
and privacy amplification therefore requires the transmission of $n_{rec} - k$ bits. No hashing scheme is known 
to achieve this bound for any $n_{rec}$, therefore we will consider the more realistic situation where privacy 
amplification requires the transmission of $n_{rec}$ bits. For instance, this can be achieved with the following 
family [26]: 

$$\mathcal{H}_{GF(2^{n_{rec}}) \to \{0,1\}^{n_{key}}} = \{ h_c : c \in GF(2^{n_{rec}}) \}, \tag{21}$$

where $h_c(x)$ is defined as $n_{key}$ distinct bits of the product $cx$ in a polynomial representation of $GF(2^{n_{rec}})$. 
Finally, since the maximum number of non-secure bits transmitted is at most the capacity of the main 
channel, we obtain: 

$$T_c(\eta) = \langle C_M \rangle_{\bar{\mathcal{V}}} - \langle H(X) - \beta C_M \rangle_{\mathcal{V}} - \langle H(X) \rangle_{\mathcal{V}} - \eta^{-1} \langle \beta C_M - C_W \rangle_{\mathcal{V}}. \tag{22}$$

Notice that $T_c(\eta)$ may be negative when $\Pr(C_s > C_s^t) \gg \Pr(C_s < C_s^t)$. This situation corresponds to a 
regime where Alice and Bob generate keys faster than they use them, which can be avoided by adjusting 
the parameter $C_s^t$ so that $T_c(\eta)$ remains positive. In the remainder of the paper, we will be interested in the 
ultimate performance of the protocol; therefore, according to Section III, we will assume $H(X) \approx C_M + 2$, 
but unless otherwise specified we will use $C_M^t =$ and $= 1$. 
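
The multiplication-based hash family defined above, written out as an added Python example (not code from the paper). The 128-bit field size, the reduction polynomial, the choice of the low-order bits as the "distinct bits", and all function names are assumptions made for illustration.

```python
import secrets

# Assumption: n_rec = 128 and the field GF(2^128) is built with
# x^128 + x^7 + x^2 + x + 1, which is irreducible over GF(2) (the GCM polynomial).
POLY_128 = (1 << 128) | 0x87

def gf_mul(a, b, n, poly):
    """Multiply a and b in GF(2^n) = GF(2)[x]/(poly), polynomial representation."""
    result = 0
    while b:
        if b & 1:
            result ^= a          # addition in GF(2^n) is XOR
        b >>= 1
        a <<= 1
        if a >> n:               # degree reached n: reduce modulo poly
            a ^= poly
    return result

def h(c, x, n_key, n=128, poly=POLY_128):
    """h_c(x): n_key fixed bit positions (here the low-order ones) of c*x."""
    if not (0 <= c < 1 << n and 0 <= x < 1 << n and 0 < n_key <= n):
        raise ValueError("c and x must be field elements and 0 < n_key <= n")
    return gf_mul(c, x, n, poly) & ((1 << n_key) - 1)

def collisions(x1, x2, n_key, n, poly):
    """Count the c in GF(2^n) for which h_c(x1) == h_c(x2) (small n only)."""
    return sum(h(c, x1, n_key, n, poly) == h(c, x2, n_key, n, poly)
               for c in range(1 << n))

def distill(reconciled, n_key):
    """Alice draws c uniformly and sends its n_rec bits in the clear; both sides apply h_c."""
    c = secrets.randbelow(1 << 128)
    return c, h(c, reconciled, n_key)
```

For distinct inputs the map from c to c(x1 + x2) is a bijection of the field, so exactly $2^{n-n_{key}}$ values of c collide, which is the universality property that privacy amplification relies on.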

The maximum average secure throughput for $\eta = 1$ achievable by the opportunistic protocol is shown 
in Fig. 8. As expected, the protocol is in general sub-optimal since most of the main channel capacity has to 
be sacrificed for key agreement. Interestingly, when the wiretap channel average SNR $\bar{\gamma}_W$ is well above 
the main channel average SNR $\bar{\gamma}_M$, all the additional communication required for reconciliation and 
privacy amplification, as well as the communication secured by a one-time pad, can be performed when 
the secrecy capacity is zero. In this case, the protocol incurs no loss of secure communication rate. 

Fig. 9 shows the secure throughputs obtained for different values of $\eta$. Strictly speaking, the protocol 
does not provide any information-theoretic security in this regime, since the keys generated are used to 
encode several bits. Nevertheless, this result shows that the protocol provides an efficient and potentially 
fast way of exchanging information-theoretically secure keys. In this mode of operation, it could be 
tailored with standard secure encryption algorithms (such as the AES with 192 bits) to strengthen the 
current level of security of wireless communications. 

Fig. 8. Average secure throughput (thin lines) and average secrecy capacity (thick lines). All throughputs are normalised to the 
channel capacity of a Gaussian channel with same average SNR $\bar{\gamma}_M$. 

Fig. 9. Secure throughput for various values of $\eta$. 

B. Mitigating the Effects of Imperfect CSI 

Let us now briefly discuss the impact of imperfect channel state information. We can reasonably assume 
that Bob cooperates with Alice, which allows her to obtain a perfect estimate of the main channel fading 
coefficient. Unfortunately, Eve may not be as helpful and Alice's knowledge of the wiretap fading is more 
likely to be noisy. In order to assess the performance of our protocol under more realistic conditions, 
we model Alice's estimate of Eve's fading coefficient by $\hat{h}_W = h_W + n_W$, where $h_W$ is the true fading 
coefficient and $n_W$ is a zero-mean complex Gaussian noise with known variance $\sigma^2$ per dimension. If 
Alice applies the previous protocol blindly, her estimation $\hat{C}_s$ of the instantaneous secrecy capacity will 
generally differ from the real secrecy capacity $C_s$. The situations where $\hat{C}_s < C_s$ do not impact the 
secrecy of the key agreement; however, when $\hat{C}_s > C_s$, Alice underestimates the information leaked to 
the eavesdropper and subsequently generates keys whose entropy is not maximum. Let $K$ denote the 
$k$-bit key generated by Alice based on her estimation $\hat{C}_s$. From Theorem 1, the uncertainty on $K$ of the 
eavesdropper is bounded as follows: 

$$k \ge H(K|G, E = e) \ge k - \frac{2^{n(C_W - \hat{C}_W) - r_0}}{\ln 2} = k - \frac{2^{n(C_W - \hat{C}_W - \alpha)}}{\ln 2}, \tag{23}$$

where we have introduced the parameter $\alpha = r_0/n$. As long as $C_W - \hat{C}_W < \alpha$, the uncertainty of the key 
$K$ lies within 1.5 bits of its maximal value and can be regarded as secret; however, when $C_W - \hat{C}_W > \alpha$ 
the lower bound on $H(K|G, E = e)$ decreases exponentially in the difference $C_W - \hat{C}_W - \alpha$. 

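The introduction of imperfect CSI and the use of the parameter $\alpha$ slightly modify the expressions of 
the average secure and communication throughputs given by Eqs. (20) and (22). Let $\mathcal{V} = \{(\gamma_M, \gamma_W) : \hat{C}_s > C_s^t\}$, 
then 

$$T_s(\eta) = \eta^{-1} \langle \hat{C}_s - \alpha \rangle_{\mathcal{V}} \tag{24}$$

$$T_c(\eta) = \langle C_M \rangle_{\bar{\mathcal{V}}} - \langle H(X) - C_M \rangle_{\mathcal{V}} - \langle H(X) \rangle_{\mathcal{V}} - \eta^{-1} \langle \hat{C}_s - \alpha \rangle_{\mathcal{V}}. \tag{25}$$

The threshold $C_s^t > \alpha$ should once more be chosen such that $T_c(\eta) > 0$. Contrary to the situation where 
perfect CSI is available, the average secure throughput defined above is not sufficient to characterize 
the security of the system. In fact, it only represents Alice's targeted secure communication rate, which 
might be different from the true secure communication rate. Hence we need to introduce the true average 
secure throughput $\mathcal{R}_s$ and the average leaked throughput $\mathcal{R}_l$ defined as: 

$$\mathcal{R}_s = \eta^{-1} \langle \hat{C}_s - \alpha \rangle_{\mathcal{V}_s}, \tag{26}$$

$$\mathcal{R}_l = \eta^{-1} \langle \hat{C}_s - \alpha \rangle_{\mathcal{V}_l}, \tag{27}$$

where $\mathcal{V}_s = \{(\gamma_M, \gamma_W) : \hat{C}_s > C_s^t,\ \hat{C}_s - C_s < \alpha\}$ and $\mathcal{V}_l = \{(\gamma_M, \gamma_W) : \hat{C}_s > C_s^t,\ \hat{C}_s - C_s > \alpha\}$. 
These expressions cannot be computed in closed form but can be obtained with Monte-Carlo simulations. 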
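
A Monte-Carlo estimate of the targeted, true secure and leaked throughputs defined above, as an added Python example (not the authors' simulation code). It assumes Rayleigh fading with unit-power coefficients, noise powers set from the average SNRs, and reads the average over a set as the expectation of the quantity times the set's indicator; the function names and default parameters are illustrative.

```python
import math
import random

def cgauss(rng, var_per_dim):
    """One zero-mean complex Gaussian sample with the given variance per dimension."""
    s = math.sqrt(var_per_dim)
    return complex(rng.gauss(0.0, s), rng.gauss(0.0, s))

def throughputs(snr_m, snr_w, sigma2, alpha, cs_t, eta=1.0, trials=100_000, seed=1):
    """Return (T_s, R_s, R_l): targeted, true secure and leaked throughput."""
    if not cs_t >= alpha >= 0.0:
        raise ValueError("need C_s^t >= alpha >= 0")
    rng = random.Random(seed)
    n_m, n_w = 1.0 / snr_m, 1.0 / snr_w       # noise powers for unit-power fading
    target = secure = leaked = 0.0
    for _ in range(trials):
        h_m = cgauss(rng, 0.5)                # assumption: Rayleigh fading, E|h|^2 = 1
        h_w = cgauss(rng, 0.5)
        h_w_hat = h_w + cgauss(rng, sigma2)   # Alice's noisy estimate of Eve's fading
        c_m = math.log2(1.0 + abs(h_m) ** 2 / n_m)
        c_w = math.log2(1.0 + abs(h_w) ** 2 / n_w)
        c_w_hat = math.log2(1.0 + abs(h_w_hat) ** 2 / n_w)
        cs_hat = max(c_m - c_w_hat, 0.0)      # estimated secrecy capacity
        if cs_hat <= cs_t:
            continue                          # no opportunistic transmission
        rate = (cs_hat - alpha) / eta         # key bits Alice believes are secret
        target += rate
        gap = c_w - c_w_hat                   # equals cs_hat - C_s whenever C_s > 0
        if gap < alpha:
            secure += rate                    # realization falls in the secure set
        elif gap > alpha:
            leaked += rate                    # realization falls in the leaked set
    # The set average <X> is taken as E[X * indicator], i.e. per channel use.
    return target / trials, secure / trials, leaked / trials

if __name__ == "__main__":
    for sigma2 in (10.0, 1e-4):
        for alpha in (0.0, 0.1):
            t, s, l = throughputs(100.0, 10.0, sigma2, alpha, cs_t=alpha)
            print(f"sigma2={sigma2:g} alpha={alpha}: T_s={t:.3f} R_s={s:.3f} R_l={l:.3f}")
```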

Fig. 10. Impact of imperfect CSI. Thicker lines represent the estimated average secrecy capacity. The diamond lines (◇) represent 
Alice's targeted average secure throughput with her imperfect CSI, the square lines (□) and circle lines (○) respectively represent 
the true average secure throughput and average leaked throughput. All throughputs are normalised to the channel capacity of a 
Gaussian channel with same average SNR $\bar{\gamma}_M$. 



Figure 10 shows the results obtained for an estimation noise variance of $\sigma^2 = 10$ and $\sigma^2 = 0.0001$ when 
$\eta = 1$ and $\alpha = 0$ (i.e. the safety parameter $r_0 \ll n$). 

Interestingly, when Alice has a bad estimation of the wiretap channel fading coefficient and if the 
main channel SNR is well above the wiretap channel SNR, most of the keys generated are still secret. 
This unexpected behavior can be explained by the asymmetry of the distribution $p(\hat{\gamma}_W|\gamma_W)$, which forces 
Alice to underestimate $C_W$ most of the time. On the other hand, when her estimation of the wiretap CSI 
improves, she becomes equally likely to overestimate or underestimate $C_W$, therefore $\mathcal{R}_l \approx \mathcal{R}_s$ and half 
of the keys generated are then insecure. The impact of imperfect channel state information 
can be somewhat mitigated by increasing the parameter $\alpha$. In fact, $\alpha > 0$ plays the role of a safety 
margin and reduces the length of the generated keys. By increasing $\alpha$, the average leaked throughput can 
be made arbitrarily small, but this also decreases the achievable secure throughput. Figure 11 shows the 
results obtained for $\alpha = 0.1$. When $\sigma^2 = 0.0001$, the secure throughput loss is negligible, yet this 
slight increase in $\alpha$ suffices to ensure the secrecy of the keys generated. The mitigation is less effective 
when $\sigma^2 = 10$, and a further increase of $\alpha$ would be necessary to reduce the leaked throughput. 

Fig. 11. Mitigation of imperfect CSI. Thicker lines represent the estimated average secrecy capacity. The diamond lines (◇) 
represent Alice's targeted average secure throughput with her imperfect CSI, the square lines (□) and circle lines (○) respectively 
represent the true average secure throughput and average leaked throughput. All throughputs are normalised to the channel 
capacity of a Gaussian channel with same average SNR $\bar{\gamma}_M$. 

VI. Conclusions and Future Work 

In the second of this two-part paper on wireless information-theoretic security, we proposed a protocol 
based on one-way communications providing secure communication over quasi-static wireless channels. 
This scheme opportunistically exploits the fluctuations of the fading coefficients to exchange 
information-theoretically secure keys, which are then used to encrypt messages. We analysed the security provided 
by the protocol in the idealized case where the channel state information of the wiretap channel is known, 
but also showed that secure communication is still achievable in the more realistic situation where only 
imperfect channel state information is available. The fundamental security limits in both scenarios were 
studied in Part I. 

The performance and complexity of the proposed scheme mainly rely on those of the reconciliation 
algorithm. Our LDPC-based reconciliation method is near-optimal over a wide range of signal-to-noise 
ratios; however, the memory requirements and the complexity may still be too high for embedded or 
low-cost systems. In future work, we will investigate new code constructions in order to reduce the 
hardware requirements while still maintaining the same level of performance. 

Let us finally mention that even though the encryption used in our scheme could be performed with 
a one-time pad to ensure perfect security, the protocol may be of higher interest if tailored with existing 
secret-key encryption methods (e.g. DES, AES) to strengthen their current level of security. 